[strongSwan] configuring charon with installpolicy=no

Andreas Steffen andreas.steffen at strongswan.org
Fri May 14 14:58:10 CEST 2010


Hi,

strongSwan matches XFRM_ACQUIRE messages triggered by IPsec
policies installed in the kernel based on the reqid. It seems
that the manual spdadd command installs the policies with
reqid 0 whereas the charon daemon start to number connections
installed with auto=route starting with reqid 1. Therefore
no match for the acquire message is found and the connection
does not come up.

Starting with version 4.4.0 strongswan allows to assign a fixed reqid
to a connection definition with the reqid= option, e.g.

conn CONFIG
      ...
      reqid=3
      auto=route

Regards

Andreas

On 05/14/2010 02:27 PM, Ayyash, Mohammad (NSN - FI/Espoo) wrote:
> Hi,
>
> First off, I googled a lot before sending this email, but found no answer.
>
> My question is:
>
> --------------------
>
> - how to properly configure Charon with “installpolicy=no”, so that I
> will be able to control SPD policies priority order.
>
> More details:
>
> --------------------
>
> I have two hosts, first one (host1) has IP addresses 10.0.0.1/24,
> 20.0.0.1/24, second one (host2) has ip address 30.0.0.1/24 40.0.0.1/24.
>
> The scenario is a vpn is to be established between 20.0.0.1 ===
> 40.0.0.1, serving subnets 10.0.0.0/24 === 30.0.0.0/24.
>
> I want to be able to insert (just of the sake of example) and exception
> to this security policy, that if you a ping goes from 10.0.0.1 to
> 30.0.0.1 (and the otherway around), it should be passed through
> un-encrypted.
>
> Ideally, I should be able to introduce SPD policies with higher
> priorities, in a way that the ping policy has higher priority (I am
> using setkey).
>
> Host1:
>
> spdadd 10.0.0.0/24 30.0.0.0/24 icmp –P out prio 1001 none;
>
> spdadd 30.0.0.0/24 10.0.0.0/24 icmp –P in prio 1001 none;
>
> spdadd 10.0.0.0/24 30.0.0.0/24 any –P out prio 1000 ipsec
> esp/tunnel/20.0.0.1-40.0.0.1/unique;
>
> spdadd 30.0.0.0/24 10.0.0.0/24 any –P in prio 1000 ipsec
> esp/tunnel/40.0.0.1-20.0.0.1/unique;
>
> Host2:
>
> spdadd 10.0.0.0/24 30.0.0.0/24 icmp –P in prio 1001 none;
>
> spdadd 30.0.0.0/24 10.0.0.0/24 icmp –P out prio 1001 none;
>
> spdadd 10.0.0.0/24 30.0.0.0/24 any –P in prio 1000 ipsec
> esp/tunnel/20.0.0.1-40.0.0.1/unique;
>
> spdadd 30.0.0.0/24 10.0.0.0/24 any –P out prio 1000 ipsec
> esp/tunnel/40.0.0.1-20.0.0.1/unique;
>
> (the above example works with IKEv1 Racoon, which doesn’t try to play
> with policies)
>
> In order to achieve the same with Charon, I have either 2 ways: (A)
> prevent Charon from install the SPD policies, or (B) tell charon how to
> treat priorties.
>
> Solution (A):
>
> ============
>
> Prevent Charon from installing policies, and do that manually instead. I
> didn’t go so far here: I tried to use installpolicy=no. Here is what I
> did (only “ipsec” policy is tried)
>
> Host1:
>
> spdadd 10.0.0.0/24 30.0.0.0/24 any -P out ipsec
> esp/tunnel/20.0.0.1-40.0.0.1/unqiue;
>
> spdadd 30.0.0.0/24 10.0.0.0/24 any -P in ipsec
> esp/tunnel/40.0.0.1-20.0.0.1/unqiue;
>
> setkey -DP
>
> 30.0.0.0/24[any] 10.0.0.0/24[any] any
>
> in prio def ipsec
>
> esp/tunnel/40.0.0.1-20.0.0.1/require
>
> created: May 14 14:11:13 2010 lastused:
>
> lifetime: 0(s) validtime: 0(s)
>
> spid=8744 seq=2 pid=14660
>
> refcnt=1
>
> 10.0.0.0/24[any] 30.0.0.0/24[any] any
>
> out prio def ipsec
>
> esp/tunnel/20.0.0.1-40.0.0.1/require
>
> created: May 14 14:11:13 2010 lastused:
>
> lifetime: 0(s) validtime: 0(s)
>
> spid=8737 seq=1 pid=14660
>
> refcnt=1
>
> 30.0.0.0/24[any] 10.0.0.0/24[any] any
>
> fwd prio def ipsec
>
> esp/tunnel/40.0.0.1-20.0.0.1/require
>
> created: May 14 14:11:13 2010 lastused:
>
> lifetime: 0(s) validtime: 0(s)
>
> spid=8754 seq=0 pid=14660
>
> refcnt=1
>
> ipsec.conf:
>
> config setup
>
> charonstart=yes
>
> plutostart=no
>
> charondebug="knl 2, dmn 2, ike 2, net 2, cfg 2, job 2"
>
> conn %default
>
> keyexchange=ikev2
>
> auto=route
>
> installpolicy=no
>
> ca strongswan
>
> cacert=/etc/ipsec/certs/ipsec.d/cacerts/cacert.pem
>
> conn CONFIG
>
> rekeymargin=2880
>
> rekeyfuzz=100%
>
> left=20.0.0.1
>
> right=40.0.0.1
>
> leftsubnet=10.0.0.0/24
>
> rightsubnet=30.0.0.0/24
>
> leftprotoport=%any
>
> rightprotoport=%any
>
> authby=secret
>
> leftid=20.0.0.1
>
> rightid=40.0.0.1
>
> ike=aes128-md5-modp1536
>
> esp=aes128-sha1
>
> type=tunnel
>
> ikelifetime=28800s
>
> keylife=28800s
>
> now start starter:
>
> $starter --nofork
>
> Starting strongSwan 4.3.6 IPsec [starter]...
>
> 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
>
> 00[KNL] listening on interfaces:
>
> 00[KNL] eth0
>
> 00[KNL] 20.0.0.1
>
> 00[KNL] fe80::209:6bff:fe58:6492
>
> 00[KNL] eth1
>
> 00[KNL] 192.168.0.250
>
> 00[KNL] 10.0.0.1
>
> 00[KNL] fe80::209:6bff:fe58:6493
>
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
>
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
>
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
>
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
>
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
>
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>
> 00[CFG] loaded IKE secret for 20.0.0.1 40.0.0.1
>
> 00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509
> pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown
> attr resolve
>
> 00[JOB] spawning 16 worker threads
>
> charon (18334) started after 100 ms
>
> 01[JOB] started worker thread, ID: 1
>
> 01[JOB] no events, waiting
>
> 03[JOB] started worker thread, ID: 3
>
> 04[JOB] started worker thread, ID: 4
>
> 05[JOB] started worker thread, ID: 5
>
> 06[JOB] started worker thread, ID: 6
>
> 06[NET] waiting for data on raw sockets
>
> 08[JOB] started worker thread, ID: 8
>
> 08[CFG] received stroke: add connection 'CONFIG'
>
> 08[CFG] conn CONFIG
>
> 08[CFG] left=20.0.0.1
>
> 08[CFG] leftsubnet=10.0.0.0/24
>
> 08[CFG] leftsourceip=(null)
>
> 08[CFG] leftauth=(null)
>
> 08[CFG] leftauth2=(null)
>
> 08[CFG] leftid=20.0.0.1
>
> 02[JOB] started worker thread, ID: 2
>
> 07[JOB] started worker thread, ID: 7
>
> 09[JOB] started worker thread, ID: 9
>
> 10[JOB] started worker thread, ID: 10
>
> 11[JOB] started worker thread, ID: 11
>
> 12[JOB] started worker thread, ID: 12
>
> 13[JOB] started worker thread, ID: 13
>
> 14[JOB] started worker thread, ID: 14
>
> 15[JOB] started worker thread, ID: 15
>
> 16[JOB] started worker thread, ID: 16
>
> 08[CFG] leftid2=(null)
>
> 08[CFG] leftcert=(null)
>
> 08[CFG] leftcert2=(null)
>
> 08[CFG] leftca=(null)
>
> 08[CFG] leftca2=(null)
>
> 08[CFG] leftgroups=(null)
>
> 08[CFG] leftupdown=(null)
>
> 08[CFG] right=40.0.0.1
>
> 08[CFG] rightsubnet=30.0.0.0/24
>
> 08[CFG] rightsourceip=(null)
>
> 08[CFG] rightauth=(null)
>
> 08[CFG] rightauth2=(null)
>
> 08[CFG] rightid=40.0.0.1
>
> 08[CFG] rightid2=(null)
>
> 08[CFG] rightcert=(null)
>
> 08[CFG] rightcert2=(null)
>
> 08[CFG] rightca=(null)
>
> 08[CFG] rightca2=(null)
>
> 08[CFG] rightgroups=(null)
>
> 08[CFG] rightupdown=(null)
>
> 08[CFG] eap_identity=(null)
>
> 08[CFG] ike=aes128-md5-modp1536
>
> 08[CFG] esp=aes128-sha1
>
> 08[CFG] mediation=no
>
> 08[CFG] mediated_by=(null)
>
> 08[CFG] me_peerid=(null)
>
> 08[KNL] getting interface name for 40.0.0.1
>
> 08[KNL] 40.0.0.1 is not a local address
>
> 08[KNL] getting interface name for 20.0.0.1
>
> 08[KNL] 20.0.0.1 is on interface eth0
>
> 08[CFG] added configuration 'CONFIG'
>
> 02[CFG] received stroke: route 'CONFIG'
>
> 02[CFG] proposing traffic selectors for us:
>
> 02[CFG] 10.0.0.0/24 (derived from 10.0.0.0/24)
>
> 02[CFG] proposing traffic selectors for other:
>
> 02[CFG] 30.0.0.0/24 (derived from 30.0.0.0/24)
>
> configuration 'CONFIG' routed
>
>
> at this point, it is really irrelevant if you configure host2 or not,
> simple because nothing will be sent. Try a ping from host2 to host1
> (which should be encrypted)
>
> ping –I 30.0.0.1 10.0.0.1
>
> 3[KNL] received a XFRM_MSG_ACQUIRE
>
> 03[KNL] XFRMA_TMPL
>
> 03[KNL] creating acquire job for policy 10.0.0.1/32[icmp/8] ===
> 30.0.0.1/32[icmp] with reqid {0}
>
> 10[CFG] trap not found, unable to acquire reqid 0
>
> note that after this ping,a one direction SAD is created:
>
> setkey -D
>
> root at pennywise ipsec-tools-0.8-alpha20090422]# setkey -D
>
> 20.0.0.1 40.0.0.1
>
> esp mode=tunnel spi=0(0x00000000) reqid=0(0x00000000)
>
> seq=0x00000000 replay=0 flags=0x00000000 state=larval
>
> created: May 14 15:22:52 2010 current: May 14 15:22:58 2010
>
> diff: 6(s) hard: 165(s) soft: 0(s)
>
> last: hard: 0(s) soft: 0(s)
>
> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
>
> allocated: 0 hard: 0 soft: 0
>
> sadb_seq=0 pid=18395 refcnt=0
>
> given the spi=0, I guess this is just an initialized one, not even yet
> completed.
>
>
> As far as I could tell from “trap not found” error message, charon is
> trying to find a matching SPD policy before it started IKE negotiation,
> but it is not able to find it? why is that?
>
>
> Solution (B):
>
> ============
>
> Is there a way to control the order at which Charon installs SPD policies?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==




More information about the Users mailing list